Centralisation and shared access to electronic patient records under the national programme for IT should bring real benefits for patient safety.
Patients receive care from multiple outlets and it makes sense to allow all clinicians involved access to common data sources. But it is becoming increasingly clear that the price to pay for this modernisation is a significant loss of data security.
GPs fear that patients could lose confidence in records to such an extent that they begin to withhold information. If this occurs, the usefulness of records could be undermined. So is the price of modernisation worth paying?
Serious breaches of confidentiality have occurred already: a leading GP system supplier recently sacked an employee who accessed confidential patient records, and clinicians have abused access to records to look up data about family members (GP, 17 August).
Gathering data into larger units, allied with the extension of access to hundreds of thousands of NHS smartcard holders, could lead to confidentiality breaches of increasing severity.
The fears apply not just to shared summary records increasingly being moved into large data centres, as web-based IT systems with remotely-hosted data become the norm, but also to detailed records currently stored in GP practices.
Evidence submitted to a House of Commons Health Committee inquiry into the national programme for IT by experts from the UK Computing Research Committee warns that 'no system can be totally secure'.
It warns 'a single system accessible by all NHS employees from all trusts maximises rather than minimises the risk of a security breach. It increases the number of patients affected by the worst-case breach and increases the opportunity for access to any one patient's data from some point on the extended system'.
It also warns that websites allowing patients to view their own records will be vulnerable to 'password-cracking, phishing (dummy websites that trick patients into revealing personal data) or other standard attacks' by hackers.
Separate paper records?
GPC IT subcommittee chairman Dr Paul Cundy told GP he believed GPs would become more guarded about the information they enter into records, and could even begin to hold separate paper records not linked to the national system.
'GPs are likely to be more guarded - I think they will become more objective about what they record. The contextual information, the chit-chat that they previously added into records may be left out,' he said.
Dr Cundy said it was difficult to assess the impact of 'subtle changes' to entering data. But he added that there was, 'in theory a danger that important clinical information may not be recorded'.
Asked whether there was a potential conflict between GMC requirements for GPs to record data and their obligations to maintain confidentiality of patient information, he said: 'The GMC requires certain sorts of data to be recorded, but it doesn't say where it should be recorded.
'I'm not suggesting people do this, but you could record data locally - outside the national electronic records.'
As a result, three layers of records could emerge: national summary patient records, full electronic patient records held on regional data centre servers, and additional notes about sensitive issues held in the GP practice. 'It's a mess,' Dr Cundy said.
Patient trust undermined
Concerns about the evolution of IT are shared by GPC leaders. GPC deputy chairman Dr Richard Vautrey warned that a handful of high-profile breaches of confidentiality could scupper GPs' and patients' confidence in records.
'You only need a small number of cases to become public knowledge for people to lose confidence in records - patients could be less willing to divulge information, or they could request that it is not added to records, or GPs could decide not to add information because of fears about who might be able to see it. That would undermine the relationship between GPs and patients,' he added.
Dr Cundy said the 'gatekeeper' model that UK general practice is based on could be threatened. 'If patients stop trusting GPs, they will start to access healthcare in different ways - GPs will no longer be in the same position of influence, and will be unable to be as cost-effective.'
Ewan Davis, chairman of the British Computer Society's primary healthcare specialist group, said that for GPs to retain patients' trust, the national record system would have to enable some data to be entered that only the individual GP could access. 'For a small number of patients, disclosure of information could cause massive damage. The system needs to be built to cope with that,' he said.
Such measures could help convince GPs that the benefits of using the national systems outweigh the risks. Meanwhile, modernisation depends on enthusiasts such as Essex GP Dr Hugh Taylor, whose practice is moving soon to a remotely hosted system. 'The benefits of sharing data do outweigh the risks. I see no reason to limit recording of data at this stage.'
- Central records are a more attractive target for hackers.
- GPs may withhold data from records if they fear that electronic records are not properly secure.
- Solution could be a record 'envelope' that only individual doctors access.